From: kluge at fujitsu.com.au (Steffen Kluge)
Subject: a PGP signed mail? Has to be spam!

On Wed, 2003-11-12 at 15:39, Michael Gale wrote:
> 	But public keys are only valid if you trust them

No, they can be expired or revoked, but not invalid. And yes, you either
trust a key or you don't.

A signature can be valid or invalid, i.e. decrypting the signature with
the matching public key yields a number that either does or doesn't
match the hash of the message. This has nothing to do with whether or
not you trust the key used for signing. A message can have a valid
signature made with an untrusted key.

>  -- the points in just
> because a person signs a e-mail with a PGP key and the key matches the
> from address does not mean it is NOT spam.

Correct. A good additional test would be to check whether you've got the
matching public key on your keyring, or even trust it. Even so, some
people may sign their emails regardless of whether they believe the
recipient is in possession of their public key, which makes this post
self-referential.

It's probably a good idea to raise the ham score for emails bearing a
sig from a known sender, and don't score emails based on the fact that
they are either not signed or signed by someone unknown.

> Also -- having a mail server check PGP sigs on e-mails is NOT an option
> -- think of the overhead, the delay and time out if the server does not
> exist or no response.

I don't think that'll be much of an additional overhead in the grand
scheme of things. Think of all the tests spam filters are running, let
alone virus scanners. Think of on-line look-ups (a la Razor). I don't
understand the server not responding bit. Which server?

If the corporate (or whatever) mail gateway does the spam filtering it
would be the one checking the sigs. All you have to do is maintain a key
ring with public keys of your recipients' peers. If you miss one, no
problem, since you won't score as spam if you can't verify the sig.

> This would cause major mailq build-ups and could more easily crash a mail
> system.

Huh?

> Anti-spam tools - DCC, Razor, RBL, Bayesian Statistical Token Analysis
> and then whitelist and blacklist.
> 
> Not PGP checks.

Think about it.

Cheers
Steffen.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031112/ef53cea9/attachment.bin
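The distinction Steffen draws above, signature validity versus key trust, and his suggested scoring policy (a ham bonus only for a verified signature from a known sender, no penalty otherwise), as an added illustration that is not part of the original post. It uses Go's standard-library Ed25519 as a stand-in for PGP's signature algorithms; the keyring, addresses, message and the bonus weight are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verdict keeps the two questions apart: does the signature verify under the
// claimed key (a purely cryptographic check), and is that key one we trust
// (a keyring policy decision). Neither implies the other.
type Verdict struct {
	SigValid bool    // signature matches the message hash under the claimed key
	KeyKnown bool    // claimed key is the one on file for the From address
	HamBonus float64 // adjustment toward ham; never a spam penalty
}

// Keyring maps a sender address to the public key the gateway has on file.
type Keyring map[string]ed25519.PublicKey

// Assess verifies the signature, then looks the key up on the keyring.
// Only a valid signature from a known key earns a bonus; unsigned mail,
// unknown keys and failed verification all score 0, as the post suggests.
func Assess(ring Keyring, from string, claimed ed25519.PublicKey, msg, sig []byte) Verdict {
	v := Verdict{}
	if len(claimed) != ed25519.PublicKeySize || sig == nil {
		return v // unsigned or malformed: nothing to say either way
	}
	v.SigValid = ed25519.Verify(claimed, msg, sig)
	if known, ok := ring[from]; ok && known.Equal(claimed) {
		v.KeyKnown = true
	}
	if v.SigValid && v.KeyKnown {
		v.HamBonus = 2.0 // constructed weight; tune to the filter's scale
	}
	return v
}

func main() {
	// Constructed demo: one known peer on the keyring, one stranger.
	peerPub, peerPriv, _ := ed25519.GenerateKey(rand.Reader)
	strangerPub, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	ring := Keyring{"alice@example.org": peerPub}
	msg := []byte("Subject: a PGP signed mail?\r\n\r\nHello")

	fmt.Printf("%+v\n", Assess(ring, "alice@example.org", peerPub, msg, ed25519.Sign(peerPriv, msg)))         // valid, known
	fmt.Printf("%+v\n", Assess(ring, "bob@example.net", strangerPub, msg, ed25519.Sign(strangerPriv, msg)))   // valid, unknown
	fmt.Printf("%+v\n", Assess(ring, "alice@example.org", peerPub, msg, ed25519.Sign(strangerPriv, msg)))     // invalid, known key
}
```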
